Re: Q: Hiding M$ Exchange behind a firewall ?
On Fri, 22 Dec 2000 22:55:49 +0100, Michael Steiner writes:
>Robert Waldner wrote:
>>
>> On Fri, 22 Dec 2000 16:24:16 +0100, Michael Steiner writes:
>> <snip>
>>
>> Well, the quickfix would be a virtusertable containing something like
>> user@official.domain user@internal.name.of.exchange
>> for each&every user.
>>
>snip
>
>This is what I'm doing here at my home configuration, but for the office
>it was my horror-vision. I thought I could do it in the simple way like:
>
>*@official.domain $1 or *@internal.name.of.exchange
> ^^ ^
> - whatever the correct syntax would be
>
>When I tried to change our network-config in office I learned that does
>not work. Sendmail rejected all incoming mails. Exchange didn't send out
>mails because it didn't find the official.domain.
http://www.sendmail.org/virtual-hosting.html
the virtusertable should look like:
@yourdomain.com %1@othercompany.com
now the exchange needs to feel responsible for othercompany.com. I
strongly suggest to also use the sendmail for outgoing mail, so define
it as smarthost (dunno how this feature's called with exchange) and
get sendmail to hide it from the world, eg via
MASQUERADE_AS(official.domain)
(and, maybe,
FEATURE(`masquerade_envelope')
). now it only has to relay for the exchange:
/etc/mail/relay-domains:
internal.name.of.exchange RELAY
and et voila, it should be done. my sendmail knowledge ends here, if I
got something wrong, some guru please correct me ;-)
I also recall seeing a thread about exactly this situation sometime
this year in <news:at.linux> so you might want to search deja.com for
it (at.linux, eg german spoken only there ;-) ).
>One additional question I have to you, because I'm running a local
>name-server. (bind) with 2 master-zones set. One for the DMZ and one for
>the internal zone.
>In my understanding it should not be necessary, but to be sure - Do I
>have to set additional entries in my master-zone files like MX records ?
if you're primary NS for official.domain: yes. first MX (eg lower
precedence) should point to the sendmail (to the DNS-name with the
official IP-address), second one to your ISPs mail-backup.
internal it shouldn't be necessary, just make sure that your internal
names&addresses aren't accessible for the outside world, eg use an
access-list like
acl noexternal {
192.168.0.0/16;
127.0.0.0/8;
10.0.0.0/8;
!0/0;
};
zone "intern.waldner.priv.at" {
type master;
file "master/intern.waldner.priv.at";
allow-query { noexternal; };
};
>So 2nd chance to change the system in office with the long version of
>virtusertable will be 2nd January. (after holidays)
good luck ;-) !
cheers,
&rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ <Waldner@KPNQwest.at> | KPNQwest/AT | Diefenbachg. 35, A-1150 /
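The pieces above (virtusertable, masquerading, relay permission for the Exchange host) put together in one sendmail.mc, as an added example that is not part of the thread; the host names and the 192.0.2.10 address are placeholders, and the relay permission is shown via the access map rather than relay-domains.

```m4
dnl Example gateway config: sendmail in the DMZ, Exchange on the inside.
dnl Placeholders: official.domain, internal.name.of.exchange, 192.0.2.10.
divert(-1)
divert(0)dnl
VERSIONID(`exchange gateway example')dnl
OSTYPE(`linux')dnl
dnl --- inbound: accept mail for the public domain ---
dnl /etc/mail/local-host-names must contain the line:  official.domain
FEATURE(`use_cw_file')dnl
dnl Rewrite every recipient of the public domain to the Exchange host;
dnl %1 is the original local part, so one line covers all users.
dnl /etc/mail/virtusertable:
dnl   @official.domain   %1@internal.name.of.exchange
dnl (rebuild with: makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable)
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
dnl --- outbound: Exchange uses this host as its smart host ---
dnl Relay only for the Exchange box; anything else is still refused,
dnl so the gateway does not become an open relay.
dnl /etc/mail/access:
dnl   192.0.2.10   RELAY
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
dnl Hide the internal host name in headers and envelope sender.
MASQUERADE_AS(`official.domain')dnl
MASQUERADE_DOMAIN(`internal.name.of.exchange')dnl
FEATURE(`masquerade_envelope')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Exchange itself still has to accept mail addressed to internal.name.of.exchange and forward all outbound mail to this gateway; with that in place a test message to a user at official.domain should show up in the gateway's log as relayed to the internal host.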